Bugcheck Analysis

Hi,

I do have a Bugcheck Analysis of my filter driver (see below) and I am not
sure if I interpret it right. The Bugcheck occurs in a piece of code like
this:

NTSTATUS KLowerDevice::Call(KIrp I)
{
    // m_pDeviceObject is the lower device object this wrapper forwards to;
    // I.m_Irp is the raw IRP held by the KIrp wrapper.
    return IoCallDriver(m_pDeviceObject, I.m_Irp);
}

The compiler generates this:

00031 8b 55 08          mov  edx, DWORD PTR _I$[ebp]
00034 8b 4d fc          mov  ecx, DWORD PTR _this$[ebp]
00037 8b 49 04          mov  ecx, DWORD PTR [ecx+4]
0003a ff 15 00 00 00 00 call DWORD PTR xxxxx@IofCallDriver@8

I think the Bugcheck “says” that the “this-pointer” isn’t valid anymore
(meaning the object has been deleted). Is this correct?

Thanks in advance
Dirk

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
An exception code of 0x80000002 (STATUS_DATATYPE_MISALIGNMENT) indicates
that an unaligned data reference was encountered. The trap frame will
supply additional information.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: ef4fe7c7, The address that the exception occurred at
Arg3: f8996c30, Exception Record Address
Arg4: f8996930, Context Record Address

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Database SolnDb not connected

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
myfilter+137c7
ef4fe7c7 8b4904 mov ecx,[ecx+0x4]

EXCEPTION_PARAMETER1: f8996c30

CONTEXT: f8996930 -- (.cxr fffffffff8996930)
eax=0000000a ebx=81fca8b8 ecx=00000004 edx=81ad6368 esi=8054f11c edi=81ad60fc
eip=ef4fe7c7 esp=f8996cf8 ebp=f8996cfc iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
myfilter+137c7:
ef4fe7c7 8b4904 mov ecx,[ecx+0x4]
ds:0023:00000008=???
Resetting default context

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from ef4fe788 to ef4fe7c7

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f8996cfc ef4fe788 81ad6368 81c29940 f8996d5c myfilter+0x137c7
f8996d0c ef4f1e3d 81ad6368 00000001 81adba58 myfilter+0x13788
f8996d5c ef4f398f 81ad60fc f8996d7c ef4f262f myfilter+0x6e3d
f8996d68 ef4f262f 81ad60fc 81c29940 81ad60fc myfilter+0x898f
f8996d7c 805296ad 81ad60fc 00000000 81fca8b8 myfilter+0x762f
f8996dac 805b282c 81ad60fc 00000000 00000000 nt+0x556ad
f8996ddc 8053602a 805295c0 00000001 00000000 nt+0xde82c
00000000 00000000 00000000 00000000 00000000 nt+0x6202a

FOLLOWUP_IP:
myfilter+137c7
ef4fe7c7 8b4904 mov ecx,[ecx+0x4]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: myfilter+137c7

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .cxr fffffffff8996930 ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner



If I understand what you wrote, it means the this pointer is null, which means you called through a bad pointer.
See where the pointer you called into the current function from is supposed to be set up. (Most likely in the
stack above your current one).

-Jeff
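To make the register-level reading of the dump concrete, here is an added Python triage helper (not code from this thread or from the driver in question) that parses the CONTEXT block quoted above, evaluates the faulting instruction's memory operand from the register values, checks the result against the address WinDbg reported on the `ds:0023:...` line, and flags a null-based dereference. The dump text is copied from the post; the 64 KiB "near null" threshold and the reading of ecx as the `this` pointer (taken from the compiler listing) are assumptions.

```python
import re

# Constructed sample: the CONTEXT block from the dump in this thread, unwrapped.
SAMPLE_DUMP = """\
CONTEXT: f8996930 -- (.cxr fffffffff8996930)
eax=0000000a ebx=81fca8b8 ecx=00000004 edx=81ad6368 esi=8054f11c edi=81ad60fc
eip=ef4fe7c7 esp=f8996cf8 ebp=f8996cfc iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
myfilter+137c7:
ef4fe7c7 8b4904 mov ecx,[ecx+0x4]
ds:0023:00000008=???
"""
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
INSN_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]+ \w+\s+(.*)$", re.M)
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:([+-])(0x[0-9a-f]+|\d+))?\]")
REF_RE = re.compile(r"^ds:[0-9a-f]{4}:([0-9a-f]{8})=", re.M)
# Assumption: low 64 KiB = null pointer plus member offset (reserved on 32-bit Windows).
NEAR_NULL_LIMIT = 0x10000

def parse_registers(dump):
    """Map register names to integers from the 'eax=... ebx=...' lines."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}

def effective_address(operands, regs):
    """Evaluate a [reg+disp] operand; returns (address, base_reg, displacement)."""
    m = MEM_RE.search(operands)
    if not m:
        raise ValueError("no memory operand in %r" % operands)
    base, sign, disp = m.groups()
    offset = int(disp, 0) if disp else 0
    if sign == "-":
        offset = -offset
    return (regs[base] + offset) & 0xFFFFFFFF, base, offset

def triage(dump):
    """Explain an x86 access violation from a WinDbg CONTEXT block."""
    regs = parse_registers(dump)
    operands = INSN_RE.search(dump).group(1)
    addr, base, offset = effective_address(operands, regs)
    ref = REF_RE.search(dump)   # the 'ds:0023:xxxxxxxx=???' line, if present
    return {
        "eip": regs["eip"],
        "base_reg": base,            # ecx holds 'this' in the listing above
        "base_value": regs[base],    # the object pointer that was dereferenced
        "offset": offset,            # +4 is m_pDeviceObject in the listing
        "fault_address": addr,
        # True when the arithmetic reproduces the address WinDbg reported
        "matches_debugger": bool(ref) and int(ref.group(1), 16) == addr,
        "near_null": addr < NEAR_NULL_LIMIT,
    }
```

Run against the sample, `triage` shows `this` was 0x4 and the read of `[ecx+4]` touched 0x8, the same address WinDbg printed, i.e. a pointer in the unmapped low region rather than a freed object.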

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmx.de
Sent: Wednesday, February 16, 2005 4:18 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Bugcheck Analysis


First - the debugger reports that your symbols are wrong.
Fix the symbols for the operating system, e.g. using the MS Symbol Server.

Second - it would be good to give WinDbg symbols for your filter;
it will then point to the right place where that access violation occurred.

L.